Google has been ordered to overhaul its privacy policies to ensure the company is “crystal clear” about what it does with users’ personal data, following the confirmation that a French court has kicked out the tech giant’s appeal against its €50m (£44m) GDPR fine issued last year.
The case was triggered by complaints from two European pressure groups, La Quadrature du Net and None Of Your Business (NOYB), which is led by the Austrian privacy campaigner Max Schrems.
The complaints, which were filed within days of GDPR coming into force, claimed that Google uses a strategy of “forced consent” to continue processing individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for the provision of the service.
A similar complaint was lodged against Facebook and its subsidiaries.
Following an investigation, French data protection regulator CNIL (Commission Nationale de l’informatique et des Libertés) ruled in January last year that Google had failed to be transparent in its consent policies.
The regulator found that the tech giant made it too difficult for users to understand and manage preferences on how their personal information was being harvested, in particular with regards to targeted advertising.
In its appeal at the Conseil d’État – launched days after the initial ruling – Google argued that France did not have jurisdiction over the company and that, under the one-stop-shop GDPR regime, any complaints should be heard by the Irish Data Protection Commissioner.
However, the court rejected that argument. It stated: “Google believed that the Irish DPC was solely competent to control its activities in the European Union…according to a ‘one-stop-shop’ principle instituted by the GDPR. The Council of State notes however that at the date of the sanction, the Irish subsidiary of Google had no power of control over the other European subsidiaries nor any decision-making power over the data processing, the company Google LLC located in the United States with this power alone.”
In response to this part of the ruling, Schrems said: “It is very important that companies like Google cannot simply declare themselves to be ‘Irish’ to escape the oversight by the privacy regulators.”
Confirming the decision to reject the appeal, the Conseil d’État said: “The Council confirms the CNIL’s assessment that information relating to targeting advertising is not presented in a sufficiently clear and distinct manner for the consent of the user to be validly collected.”
Meanwhile, the Irish DPC has 65 official investigations under way, with over two dozen statutory GDPR inquiries into multinational tech giants. More than half relate to Facebook and its WhatsApp and Instagram subsidiaries. It also has three probes into Apple, and one each into LinkedIn, Quancast, Verizon and Tinder.
Google faces defeat in appeal against €50m GDPR fine
Google appeals €50m fine, insisting it followed guidance
Google ruling puts digital marketing industry on alert
Google hit for €50m as French issue first GDPR fine
Let battle commence: first GDPR complaints are filed